An increasing number of applications or services in the real as well as the virtual world like the Internet require authorization in order to get service access. For granting service access to a user, first of all the identity of the user must be verified or proved to the provider offering the service. This procedure is generally understood as the authentication of a user to a service provider. Examples for such applications or services are a login to a web server for information access, login to a Personal Computer (PC) or workstation, login to a corporate network or an Intranet, automated payment transactions, and also access to buildings, cars, and automated teller machines (ATMs).
In another example, to get access to a door, a personal identification number (PIN) has to be entered by the user, typically into a keypad located close to the door. The input number is checked and access is granted if the number is found to be valid, e.g. by checking if the entered number matches a number stored in a memory. An alternative authentication mechanism for a door-opener is a magnetic card which has to be inserted into a card reader mounted in the vicinity of the door. In this example, the card reader reads out the data stored on the magnetic card and checks, e.g., the correctness and validity of the data.
Magnetic or chip cards and card readers are also used for ATMs. Before getting access to an offered service, e.g. bank account monitoring, retrieving cash from an account, or payment transactions from an account to another account, the user has to insert his card into the card reader and to type in a PIN, thereby authenticating not only the device but also the user to the ATM. The combination of the card with the PIN enhances the security of the authentication mechanism compared to access situations wherein only one mechanism is used, e.g. only a card with a card reader or only a PIN with a keypad. Generally, the combination or concatenation of security mechanisms makes the authentication procedure more secure but requires more effort, e.g. by the user who has to handle a card and a PIN, or by the devices which become more complicated and may suffer from increased processing expense for carrying out the authentication procedure.
An authentication mechanism for getting service access on an open computer network consisting of distributed user workstations and distributed and/or centralized servers is Kerberos® (see e.g. W. Stallings, “Network and Internet Security”, Englewood Cliffs, N.J., Prentice-Hall, 1995, chapter 8.1). A Kerberos® system consists basically of a workstation of a user, a server, e.g. of a service provider, and a Kerberos® server comprising an authentication server and a ticket-granting server. The authentication server stores the passwords of all users and services in a secure database and issues tickets to users already authenticated to the authentication server for getting access to the ticket-granting server, which supplies the user with tickets for multiple service access. A ticket contains the identity of the user, a session key, a time stamp, and other information, all encrypted by a secret key of the server of the service provider.
The basic Kerberos® authentication process for authenticating the user to the service provider proceeds as follows: the user logs on to a workstation, e.g. by entering a user identity and a password, and sends a request to the Kerberos® server requesting credentials for a given server of the service provider. The credentials consist of a ticket for the server of the service provider and a session key. The Kerberos® server responds with these credentials being encrypted with the user's key. The user decrypts the credentials and transmits the ticket to the server of the service provider together with a copy of the session key, all encrypted by the server's key, for authentication of the user to the service provider.
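The ticket exchange described above, as an added example that is not part of the original text: a Kerberos-style server issues a ticket (user identity, session key, time stamp) encrypted under the service provider's key and hands it to the user together with the session key, encrypted under the user's key; the user forwards the ticket with an authenticator, and the service provider checks ticket freshness and the authenticator. Assumptions: the authenticator is encrypted under the session key (as in standard Kerberos), the cipher is a constructed stdlib-only stand-in, and all keys, names and lifetimes are constructed values.

```python
import hashlib, hmac, json, os

TICKET_LIFETIME = 300  # seconds a ticket stays valid (constructed value)

def _ks(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode (stand-in for a real cipher)."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag first; a wrong key or any tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential tampered or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def issue_credentials(user_keys, server_keys, user, service, now):
    """Kerberos server: ticket (user id, session key, time stamp) encrypted under
    the service provider's key, returned with the session key under the user's key."""
    session_key = os.urandom(32).hex()
    ticket = seal(server_keys[service], {"user": user, "session_key": session_key, "ts": now})
    return seal(user_keys[user], {"ticket": ticket.hex(), "session_key": session_key})

def client_request(user_key, creds, now):
    """Workstation: decrypt the credentials with the user's key, then send the
    ticket plus an authenticator encrypted under the session key."""
    c = unseal(user_key, creds)
    return bytes.fromhex(c["ticket"]), seal(bytes.fromhex(c["session_key"]), {"ts": now})

def service_verify(server_key, ticket, authenticator, now, skew=60):
    """Service provider: open the ticket with its own key, reject stale tickets,
    then open the authenticator with the session key carried in the ticket.
    Returns the authenticated user id, or None on expiry or clock skew."""
    t = unseal(server_key, ticket)
    if not 0 <= now - t["ts"] <= TICKET_LIFETIME:
        return None
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if abs(now - a["ts"]) > skew:
        return None
    return t["user"]
```

Note that the service provider never sees the user's key: the ticket alone lets it recover the session key, and the authenticator shows the sender actually holds that key.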
An online user authentication service is provided by Microsoft® Passport (see http://www.passport.com), especially for authentication to Internet services, e.g. access to web pages or Internet shopping. As a prerequisite, the user and the service provider have to subscribe to the authentication service, and user and service provider related data are stored in the database of an authentication server. When the user logs into his PC or a wireless device supporting the Wireless Application Protocol (WAP) and demands access to a web page enabled for the authentication service, the user is redirected to the authentication server. In parallel, the service provider transmits a service provider identity and the associated Internet address to the authentication server. The authentication server checks if an entry in the database is matched and authenticates the service provider. Similarly, the user authenticates himself to the authentication server by submitting his user identity and a password. Subsequently, the authentication server extracts an authentication identifier attributed to the user for authenticating the user to the service provider and incorporates the authentication identifier into an encrypted cookie. The cookie is stored on the PC of the user, and an encrypted ticket comprising the authentication identifier is sent to the service provider for authentication of the user. After decryption of the ticket and extraction of the authentication identifier, the user is authenticated to the service provider and access to the service is granted to the user.
Authentication mechanisms as described above have in common that they aim at and are optimized for a specific access situation, e.g. only for login to a PC or network, or only for access to a service on the Internet, or only for access to a building, or only for access to an ATM. Applying such an authentication mechanism to another access situation fails. One reason for the non-interoperability of different authentication mechanisms is ascribed to the different technologies used for authentication, e.g. cards, PINs, or passwords. Even in the case that different authentication mechanisms make use of the same technology, different service providers typically require different peculiarities, e.g. typically a credit card cannot be used in the card reader in order to get access to a building. This situation is not very convenient for the user, as he has to remember a large number of PINs, passwords, user names or aliases, and has to carry a large number of physical access devices like plastic cards or physical keys for access to buildings and cars. Especially the large number of PINs and passwords results in a very high access rejection rate, because users are simply not able to remember all the codes or mix them up. In addition, physical access devices can get lost, be forgotten somewhere, or be damaged in day-to-day use, preventing the user from getting access.
Biometric authentication mechanisms provide a way to overcome these problems, because a biometric data set, derived for example from a fingerprint or an iris of the user, is unambiguously linked to the individual user. However, the main problem with biometrics is that the biometric data set cannot be changed. If a biometric data set is disclosed, e.g. by a photocopy of a fingerprint, there are no means to generate a new set. Consequently, either the user is excluded from further access to services based on biometric authentication or the possibility of misuse arises.